What is a cyber risk management policy and how do I write one?

The cyber risk management policy answers this question: “What is our risk management philosophy and methodology based on our landscape?” In this policy, you will identify security incidents that could occur based on security incidents that have already happened. Then you will identify how to prevent and remediate those incidents and what the timeline to do so would look like.

Here are four best practices to consider when writing your cyber risk management policy:

Identify and classify vulnerabilities

Do a scan of your platform (including production systems, public Web servers, and applications) to identify vulnerabilities. If you use a vulnerability scanner, the tool will likely score risks based on the CVSS system. CVSS scores range from 0-10 (with 10 being the most severe) and are calculated using metric groups that take several security-related measurements into account. The CVSS system will also assign each discovered risk a severity rating. Once you have identified the technical, physical and administrative risks to your organization. You need to classify the likelihood of each incident occurring, as well as an appropriate severity if it occurred. Both the likelihood and severity rating can be categorized as low, moderate, high or critical. For example, if a hacker got a hold of customer credit card data, that would be considered a high risk and high impact event.

Create an SLA

Use your findings from the vulnerability assessment to create an SLA for time to remediate vulnerabilities. Industry standards for remediation are:

○ Critical: before release or within 7 days of discovery

○ High: before release or within 30 days of discovery

○ Moderate: before release or within 90 days of discovery

○ Low: before release or within 180 days of discovery

Note that before you can entirely create and implement the SLA, you should have gone through the process of data classification. With data classification, you assign labels to information, and those labels give guidance as to how that information should be accessed, used, transmitted, distributed, stored, backed up, retained and destroyed. Doing so will help you better understand the scope and complexity of data involved. It will also help you be more realistic and transparent with your customers about what vulnerabilities your company can address in a given timeframe.

Stay on top of changes

As your company grows and adopts new technologies, your threat surface will evolve too. To stay on top of these changes, perform a vulnerability assessment every six months or when there is a significant change in the system. This assessment can be done using internal teams, but many organizations also enlist the help of outside consultants. For example, it’s common for organizations to outsource quarterly vulnerability scanning on their internal and external systems. That way they can schedule the scans well in advance, and they become one less thing to remember and manage. Remember to update your SLAs at least once a year too.

Get a penetration test

Have a penetration test performed by a third party at least once a year. A penetration test is an exercise where a consultant simulates threats that an actual attacker poses to your organization. For instance, the consultant may send phishing emails to your users in attempts to get valid usernames and passwords to systems on your network. Or you might opt to have the consultant attempt to get past your physical security controls and gain access to your office spaces. It is important to note that vulnerability scan and penetration tests are often used interchangeably, but they are different. A vulnerability assessment looks at what an attacker could do with information about your organization’s vulnerabilities, while a penetration test demonstrates to what extent those risks can potentially be exploited by hackers. To use a physical security analogy, a vulnerability assessment is an equivalent of checking for locked doors and windows without entering your house; a penetration test gives the tester free reign to kick in doors and throw bricks through the windows.

The cyber risk management policy is important – not only for your business, but for your customers too. Your customers have an expectation that you will protect their PII and take proactive security measures to manage and remediate vulnerabilities. This policy demonstrates that you are serious about doing so.